The Internet has served as a disruptive technology among both social worlds and machine worlds, introducing new freedoms of access to information and remote control of devices. Innovations in mobile and industrial use of the Internet have been employed to access devices that are embedded within other systems and may be accessed and controlled remotely. This has developed into a market for the Internet of Things “IoT”, which comprises computing devices that use the Internet as the communications transmission medium for collecting, transmitting and receiving data to control processes within the device, for example, home thermostats, medical instrumentation, controllers of pipelines and energy systems, and self-driving vehicles, to name only a few embodiments. The growth of disruptive Internet and communications technologies, however, introduces new threats to critical infrastructures implicating privacy, security, safety, and interoperability. Quite simply, the large number of computing devices connected through the Internet is a tantalizing target for hackers.
The growth of process control and monitoring of computing devices on the IoT, or more generally on any network, is characterized by an increasing number operating in a headless mode with no attachment to a human interface device such as a keyboard, display, or mouse; and therefor having no human intervention in their functioning. The problem of managing such computing devices is exacerbated not only by their growing ubiquity, but by their headless operation. For convenience, these headless computing devices are referred to herein as “HCD” (or in the plural as “HCDs”), but it will be readily apparent to one skilled in the art that such headless state is just a description and not a necessary condition for practice of the invention. In other words, HCD refers to a computing device, regardless of the presence, or lack thereof, of input means.
Cybercriminals have been known to insert latent malicious code into an HCD operating system, thereby allowing the malicious code opportunistic entry into the HCD's programs during the next reboot of the operating system. In order to thwart such attacks it is possible to place a clean copy of the operating system on a separate drive, preferably having a form factor of a USB flash drive, or within a Trusted Computing Base within the HCD itself. When that is done, however, it is advantageous to also have the external or internal drive encrypted and protected by a passcode. One example of an external encrypting flash drive with an operating system on-board is the WorkSafe Pro™ bootable Windows To Go™ flash drive from SPYRUS, Inc.
Encrypting flash drives and encryption protected Trusted Computing Bases are also useable in computation-intensive system process control applications in manufacturing, robotics and pharmaceutical plants and surveillance and monitoring applications in nuclear facilities or military operations where networks of HCDs may contain highly sensitive information or programs. All that is necessary, then, is to enter the appropriate passcode at reboot to permit the HCD to load a safe copy of the operating system or gain access to required confidential data or programs.
To minimize the opportunity window of potential vulnerability the HCD preferably remains off-line, and performs a reboot and reload of its operating systems and application programs and data when it comes on-line, either in response to a local command (such as turning on the local device) or command from a remote control center. Either case, however, requires entry of the required passcode to unlock the protected operating system and stored data.
Storage of the passcode in the clear on an HCD in either hardware or software is not an option, and because HCDs are often placed in hostile or dangerous high-risk environments, use of the Internet as the transmission medium to “reach back” to communicate with a remote command center in order to receive the passcode is risky.
Communicating with one or more remote control centers is also difficult because storing the IP address of one or more remote command centers at the HCD is inadvisable (as it exposes the remote centers to attack) or impracticable (as the information would be ephemeral and unavailable before reboot is complete). Manually entering the passcode at the local HCD is also not an option, either because the HCD lacks any input means, or requiring operator intervention is infeasible (due to the multiplicity of devices, or otherwise).
The ease of access to the Internet, for example by any of billions of smartphones or computers, has lowered any barrier to malicious cyberattacks on any computing and communications devices using the Internet for a transmission medium, many of which are part of critical infrastructures around the globe, including smart grid power systems, communications systems, manufacturing plants and hospital operating and patient recovery rooms. Cisco, Inc., predicts there will be 50 billion devices connected to the Internet by 2020 and that the global IoT economic value will be $19 trillion for companies and industries worldwide in the next decade. Across health-care applications, Internet of Things technology could have an economic impact of $1.1 trillion to $2.5 trillion per year by 2025.
The Center for Strategic and International Studies 2014 estimates that cyberattacks funded by nation-states with basically unlimited economic and technology resources can also account for the loss of 350,000 jobs in the U.S. and Europe. Worse yet, the threats to national security from attacks on IOT devices that will be used to control power grids, pipelines, communications systems, banking systems, and transportation vehicles represents threats to national security that are too devastating to be measured. Breaches can be executed by adversaries from all quarters. According to a 2014 study cyberattacks cost the global economy about $445 billion.
Independent of the IoT, the field of cryptography has seen development of means for secret sharing (also called secret splitting) which are methods for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a threshold number of shares are combined together; in that case individual shares are of no use on their own.
For example, in one type of secret sharing scheme there is one dealer and n players. The dealer gives a share of the secret to the players, but only when specific conditions are fulfilled will the players be able to reconstruct the secret from their shares. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. Such a system is called a (t, n)-threshold scheme, or a K of N secret sharing mechanism (with K being the threshold and N being the number of shares) as used in commonly owned patent Jueneman, et al., U.S. Pat. No. 9,049,010. Other forms of secret splitting or extensions thereof, including how to split a secret, will be known to those of ordinary skill in the art with reference to this disclosure. Reconstructing a passcode from such shares rather than storing and distributing passcodes, would greatly enhance the security of the overall system.
Therefore, there is a need for a method to maintain security for HCD logon by transmitting share information to HCDs from one or more remote servers and reconstructing the passcode only when needed.